OMG this. Bug bounties are laughably tiny money https://twitter.com/Fox0x01/status/1290953663737933824
A lot of folks get dazzled by the high payout amounts ("Look, Apple might pay ONE MILLION dollars") but don't really appreciate what you have to have to get that. It is ... not just messing around to find a bug and then reporting it
Since it's topical, let's look at that $1m Apple payout and just how much work would be involved in getting to it
This is what you need to qualify for that payment:
* Zero-click launch
* Full kernel execution incl PAC bypass
* Persistence
* On latest hardware
That means in the average case, you need *three* full exploits, and that they all chain together:
* One to get entry on the device
* One to elevate to kernel
* One to persist on the device
That means a minimum of three high quality bugs in three very different areas of the device: one in some app (say, the messenger app), one in the kernel or a driver, and one that triggers in the boot sequence. Very different areas of security research
At each stage, those bugs are probably going to be either (a) a logic bug or (b) a memory corruption bug. Logic bugs are the best, because they work by themselves. Memory corruption bugs are more ubiquitous, but turning them into functional exploits is a lot harder
Turning a memory corruption bug into an exploit means overcoming the security mitigations in iOS designed specifically to make that process difficult. At minimum you'll need:
* An infoleak to bypass ASLR
* A bug that gives you control of the program counter
* A PAC bypass
Some memory corruption bugs might give you more than one of those, but often this means that to build an exploit you'll need more than one bug. At EACH of those three stages.
And remember: those stages are in really different places: initial entry, kernel-mode elevation, and boot sequence persistence, so it's *really* unlikely a bug in one of those exploits is going to be helpful in building an exploit in another.
A good example of an initial entry exploit is this one by @5aelo against iMessenger. The video is worth watching just for how involved building modern exploits is
But TLDR that exploit was:
* A bug in a serializer
* Using that to build a novel ASLR oracle, based on sending large numbers of SMSes and triggering crashes
* A novel PAC bypass to get code execution on the device
So not just "bug hunting". And that's ONE of your THREE stages. That's *just* the initial entry!
Getting to your $1m prize is bug hunting in three entirely different security areas, exploit engineering against three different targets, and inventing or at least being on the bleeding-edge of novel security bypasses to overcome the security mitigations designed to stop you
So, ok, let's suppose you even get to that point. You have your "zero-click remote execution with kernel execution bypassing PAC with persistence on the latest device". Time to cash in and buy a plane, right? Not so fast.
First, $1.5m is an *upper bound* of what Apple will pay. $500k of that is dependent on Apple not being aware of those bugs -- even if they aren't patched yet. Apple just needs to be privately aware of them, and that's a big percentage of your payday
Even the $1m base payout is an upper bound, with no real way to know in advance how close your chain would be to getting it. A *lot* of subjectivity and uncertainty in what payment you'd actually get for that chain.
Ultimately, to get to these kinds of payouts, you realistically need a *team* of security researchers, each at the top of their game in their field, putting in a big chunk of a year of work, and your payment is extremely unstable and uncertain. Suddenly $1m doesn't sound so hot.
Let's look at a much more common exploitation scenario:
1) Break in via Safari
2) Elevate to root and steal data
3) Don't bother persisting past reboot

This is sort of the vanilla "phone exploit" before people add bells and whistles. How much will Apple pay for that?
That's still two full exploits. But now we have other problems collecting our payment. When nation states break in via a web browser, they really don't need you to click a link. But if you report the same bug to Apple, it is going to be classified in the "One Click" category.
So now we're in the $150k (non-PAC-bypass) or $250k (PAC bypass on latest models) territory. With all the caveats from before: these are subjective, uncertain, and upper bounds
Anyway, my point is: these big payouts are not for sitting at home and reporting a bug you found on a Saturday. They're the engineering output of (teams of) world-class security engineers doing novel research for months and years, for a subjective, uncertain payout
And the upper bounds on these payments are usually less than these same researchers would make as salaried junior engineers at those same companies, never mind that they are enormous multiples away from what the defense market pays for an identical product.
Also adding to this thread to point out that *all* of those exploits need to be live at the same time, and supposing that it takes you a year, that means maintaining and fixing up each of those exploits when they randomly break every version release, which is 6-7 times a year.
You can follow @pwnallthethings.